mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-30 09:53:10 +00:00
security: Introduce functions for input device hot(un)plug
Export the existing DAC and SELinux for separate use and introduce functions for stack, nop and the security manager.
This commit is contained in:
parent
cbf4242db7
commit
d8116b5a0a
@ -1276,6 +1276,7 @@ virSecurityManagerRestoreAllLabel;
|
|||||||
virSecurityManagerRestoreDiskLabel;
|
virSecurityManagerRestoreDiskLabel;
|
||||||
virSecurityManagerRestoreHostdevLabel;
|
virSecurityManagerRestoreHostdevLabel;
|
||||||
virSecurityManagerRestoreImageLabel;
|
virSecurityManagerRestoreImageLabel;
|
||||||
|
virSecurityManagerRestoreInputLabel;
|
||||||
virSecurityManagerRestoreMemoryLabel;
|
virSecurityManagerRestoreMemoryLabel;
|
||||||
virSecurityManagerRestoreSavedStateLabel;
|
virSecurityManagerRestoreSavedStateLabel;
|
||||||
virSecurityManagerSetAllLabel;
|
virSecurityManagerSetAllLabel;
|
||||||
@ -1285,6 +1286,7 @@ virSecurityManagerSetDiskLabel;
|
|||||||
virSecurityManagerSetHostdevLabel;
|
virSecurityManagerSetHostdevLabel;
|
||||||
virSecurityManagerSetImageFDLabel;
|
virSecurityManagerSetImageFDLabel;
|
||||||
virSecurityManagerSetImageLabel;
|
virSecurityManagerSetImageLabel;
|
||||||
|
virSecurityManagerSetInputLabel;
|
||||||
virSecurityManagerSetMemoryLabel;
|
virSecurityManagerSetMemoryLabel;
|
||||||
virSecurityManagerSetProcessLabel;
|
virSecurityManagerSetProcessLabel;
|
||||||
virSecurityManagerSetSavedStateLabel;
|
virSecurityManagerSetSavedStateLabel;
|
||||||
|
@ -2123,6 +2123,9 @@ virSecurityDriver virSecurityDriverDAC = {
|
|||||||
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
|
.domainSetSecurityMemoryLabel = virSecurityDACSetMemoryLabel,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
|
.domainRestoreSecurityMemoryLabel = virSecurityDACRestoreMemoryLabel,
|
||||||
|
|
||||||
|
.domainSetSecurityInputLabel = virSecurityDACSetInputLabel,
|
||||||
|
.domainRestoreSecurityInputLabel = virSecurityDACRestoreInputLabel,
|
||||||
|
|
||||||
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
|
.domainSetSecurityDaemonSocketLabel = virSecurityDACSetDaemonSocketLabel,
|
||||||
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
|
.domainSetSecuritySocketLabel = virSecurityDACSetSocketLabel,
|
||||||
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,
|
.domainClearSecuritySocketLabel = virSecurityDACClearSocketLabel,
|
||||||
|
@ -131,6 +131,12 @@ typedef int (*virSecurityDomainSetMemoryLabel) (virSecurityManagerPtr mgr,
|
|||||||
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainRestoreMemoryLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
virDomainMemoryDefPtr mem);
|
virDomainMemoryDefPtr mem);
|
||||||
|
typedef int (*virSecurityDomainSetInputLabel) (virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr def,
|
||||||
|
virDomainInputDefPtr input);
|
||||||
|
typedef int (*virSecurityDomainRestoreInputLabel) (virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr def,
|
||||||
|
virDomainInputDefPtr input);
|
||||||
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
|
typedef int (*virSecurityDomainSetPathLabel) (virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr def,
|
virDomainDefPtr def,
|
||||||
const char *path);
|
const char *path);
|
||||||
@ -163,6 +169,9 @@ struct _virSecurityDriver {
|
|||||||
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
|
virSecurityDomainSetMemoryLabel domainSetSecurityMemoryLabel;
|
||||||
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
|
virSecurityDomainRestoreMemoryLabel domainRestoreSecurityMemoryLabel;
|
||||||
|
|
||||||
|
virSecurityDomainSetInputLabel domainSetSecurityInputLabel;
|
||||||
|
virSecurityDomainRestoreInputLabel domainRestoreSecurityInputLabel;
|
||||||
|
|
||||||
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
|
virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
|
||||||
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
|
virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
|
||||||
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
|
virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
|
||||||
|
@ -1116,3 +1116,39 @@ virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
virReportUnsupportedError();
|
virReportUnsupportedError();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int
|
||||||
|
virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input)
|
||||||
|
{
|
||||||
|
if (mgr->drv->domainSetSecurityInputLabel) {
|
||||||
|
int ret;
|
||||||
|
virObjectLock(mgr);
|
||||||
|
ret = mgr->drv->domainSetSecurityInputLabel(mgr, vm, input);
|
||||||
|
virObjectUnlock(mgr);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
virReportUnsupportedError();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int
|
||||||
|
virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input)
|
||||||
|
{
|
||||||
|
if (mgr->drv->domainRestoreSecurityInputLabel) {
|
||||||
|
int ret;
|
||||||
|
virObjectLock(mgr);
|
||||||
|
ret = mgr->drv->domainRestoreSecurityInputLabel(mgr, vm, input);
|
||||||
|
virObjectUnlock(mgr);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
virReportUnsupportedError();
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
@ -172,6 +172,14 @@ int virSecurityManagerRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
virDomainMemoryDefPtr mem);
|
virDomainMemoryDefPtr mem);
|
||||||
|
|
||||||
|
int virSecurityManagerSetInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input);
|
||||||
|
int virSecurityManagerRestoreInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input);
|
||||||
|
|
||||||
|
|
||||||
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
|
int virSecurityManagerDomainSetPathLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
const char *path);
|
const char *path);
|
||||||
|
@ -254,6 +254,14 @@ virSecurityDomainRestoreMemoryLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSE
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityDomainInputLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
|
||||||
|
virDomainDefPtr def ATTRIBUTE_UNUSED,
|
||||||
|
virDomainInputDefPtr input ATTRIBUTE_UNUSED)
|
||||||
|
{
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
virSecurityDriver virSecurityDriverNop = {
|
virSecurityDriver virSecurityDriverNop = {
|
||||||
.privateDataLen = 0,
|
.privateDataLen = 0,
|
||||||
@ -276,6 +284,9 @@ virSecurityDriver virSecurityDriverNop = {
|
|||||||
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
|
.domainSetSecurityMemoryLabel = virSecurityDomainSetMemoryLabelNop,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
|
.domainRestoreSecurityMemoryLabel = virSecurityDomainRestoreMemoryLabelNop,
|
||||||
|
|
||||||
|
.domainSetSecurityInputLabel = virSecurityDomainInputLabelNop,
|
||||||
|
.domainRestoreSecurityInputLabel = virSecurityDomainInputLabelNop,
|
||||||
|
|
||||||
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
|
.domainSetSecurityDaemonSocketLabel = virSecurityDomainSetDaemonSocketLabelNop,
|
||||||
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
|
.domainSetSecuritySocketLabel = virSecurityDomainSetSocketLabelNop,
|
||||||
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,
|
.domainClearSecuritySocketLabel = virSecurityDomainClearSocketLabelNop,
|
||||||
|
@ -3064,6 +3064,9 @@ virSecurityDriver virSecurityDriverSELinux = {
|
|||||||
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
|
.domainSetSecurityMemoryLabel = virSecuritySELinuxSetMemoryLabel,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
|
.domainRestoreSecurityMemoryLabel = virSecuritySELinuxRestoreMemoryLabel,
|
||||||
|
|
||||||
|
.domainSetSecurityInputLabel = virSecuritySELinuxSetInputLabel,
|
||||||
|
.domainRestoreSecurityInputLabel = virSecuritySELinuxRestoreInputLabel,
|
||||||
|
|
||||||
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
|
.domainSetSecurityDaemonSocketLabel = virSecuritySELinuxSetDaemonSocketLabel,
|
||||||
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
|
.domainSetSecuritySocketLabel = virSecuritySELinuxSetSocketLabel,
|
||||||
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,
|
.domainClearSecuritySocketLabel = virSecuritySELinuxClearSocketLabel,
|
||||||
|
@ -666,6 +666,41 @@ virSecurityStackRestoreMemoryLabel(virSecurityManagerPtr mgr,
|
|||||||
return rc;
|
return rc;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityStackSetInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input)
|
||||||
|
{
|
||||||
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
for (; item; item = item->next) {
|
||||||
|
if (virSecurityManagerSetInputLabel(item->securityManager, vm, input) < 0)
|
||||||
|
rc = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
virSecurityStackRestoreInputLabel(virSecurityManagerPtr mgr,
|
||||||
|
virDomainDefPtr vm,
|
||||||
|
virDomainInputDefPtr input)
|
||||||
|
{
|
||||||
|
virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
|
||||||
|
virSecurityStackItemPtr item = priv->itemsHead;
|
||||||
|
int rc = 0;
|
||||||
|
|
||||||
|
for (; item; item = item->next) {
|
||||||
|
if (virSecurityManagerRestoreInputLabel(item->securityManager,
|
||||||
|
vm, input) < 0)
|
||||||
|
rc = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
|
virSecurityStackDomainSetPathLabel(virSecurityManagerPtr mgr,
|
||||||
virDomainDefPtr vm,
|
virDomainDefPtr vm,
|
||||||
@ -711,6 +746,9 @@ virSecurityDriver virSecurityDriverStack = {
|
|||||||
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
|
.domainSetSecurityMemoryLabel = virSecurityStackSetMemoryLabel,
|
||||||
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
|
.domainRestoreSecurityMemoryLabel = virSecurityStackRestoreMemoryLabel,
|
||||||
|
|
||||||
|
.domainSetSecurityInputLabel = virSecurityStackSetInputLabel,
|
||||||
|
.domainRestoreSecurityInputLabel = virSecurityStackRestoreInputLabel,
|
||||||
|
|
||||||
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
|
.domainSetSecurityDaemonSocketLabel = virSecurityStackSetDaemonSocketLabel,
|
||||||
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
|
.domainSetSecuritySocketLabel = virSecurityStackSetSocketLabel,
|
||||||
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,
|
.domainClearSecuritySocketLabel = virSecurityStackClearSocketLabel,
|
||||||
|
Loading…
Reference in New Issue
Block a user